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DETAILED ACTION 

1. Claims 1 - 16 are pending. 

Response to Arguments 

2. Applicant's arguments directed towards claims 1 and 12-15, filed 12/21/2005 
have been fully considered but they are not persuasive. 

However, Applicant's arguments with respect to added limitations in claims 1,12, 

/ 

t 

13,14 and 15 have been considered but are moot in view of the new ground(s) of 
rejection. 

3. Applicant had further argued on pages 10-11 that in claim 3 Davis fails to teach 
a process at the client data processing system applying the cipher function to the client 
password which corresponds to the stored cipher-protected client password, wherein 
the cipher function is an encryption algorithm. Examiner respectfully disagrees. Davis 
teaches a process at the client data processing system applying the cipher function to 
the client password which corresponds to the stored cipher-protected client password, 
wherein the cipher function is an encryption algorithm (Davis, Col. 2 Lines 4-14). 
Encryption is the masking of data to prevent unauthorized persons from obtaining the 
passwords. Hashing is a form of masking data to prevent unauthorized persons from 
viewing the information. Evidence of this is provided in the attached Technical 
Dictionary. 

4. Applicant has further argued on pages 12-13 that in claim 9 Davis in view of 
Yatsukawa fails to teach that the server data processing system's password repository 
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is preferably integrated within the operating system of the server data processing 
system. Examiner respectfully disagrees. Davis in view of Yatsukawa teaches that the 
server data processing system's password repository is preferably integrated within the 
operating system of the server data processing system (Yatsukawa, Col. 15 Lines 5 - 
10 and Col. 19 Lines 26 - 36). The server is integrated with an OS system, which does 
not necessarily have to coincide with the OS on the client side. The server includes the 
database for authentication, which is thus integrated with the OS of the server. 

5. Applicant's arguments in regards to 35 U.S.C.1 12 rejections have been 
considered and are deemed persuasive. The claim 35 U.S.C. 112 rejections have been 
withdrawn from this action. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill In the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 1 - 3, 6 - 8 and 12 - 16 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Davis et al. U.S. Patent No. (6,064,736) in view of OIkin et al. US-PG 
Publication No. (2003/0046533). 

7. As per claim 1 , Davis teaches a process at the client data processing system 
applying the cipher function to the client password, which corresponds to the stored 
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cipher-protected client password, thereby to generate a cipher-protected client 
password, which is equivalent to the stored cipher-protected client password; (Davis, 
Fig.3, Item 321, Client hashes password) and performing an authentication check using 
the client data processing system's cipher-protected client password and the server 
data processing system's stored cipher-protected client password as a shared secret for 
said authentication check (Davis, Fig. 3, Col. 4 Lines 42 - 56) but fails to disclose the 
authentication check is adapted to be performed without having the client password in a 
cleartext format on the server data processing system. 

However, in an analogous art, OIkin teaches disclose the authentication check is 
adapted to be performed without having the client password in a cleartext format on the 
server data processing system (OIkin, Paragraph 0150). 

Therefore, it would have been obvious to a person of ordinary skill in the art at 
the time the invention was made to use OIkin's secure email system with Davis' 
password verification method and system, because it offers the advantage of a highly 
secure form of network communications between a sender and receiver (OIkin, 
Paragraph 0023). 

8. As per claim 2 Davis as modified teaches an authentication check includes 
performing a mutual challenge-response authentication protocol check (Davis, Fig. 3, 
Items 319, 321, 323. 327, 329, 331 and 333). 

9. As per claim 3 Davis teaches the cipher function is an encryption algorithm 
(Davis, Col. 4, Lines 50 - 52). 
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10. As per claim 6 Davis as modified teaches the cipher function is a hash function 
(Davis, Col. 4. Lines 50 - 52). 

11. As per claim 7 Davis as modified teaches a process at the server data 
processing system retrieving from the repository the respective token for a stored 
cipher-protected client password, and transmitting the token to a client data processing 
system (Davis, Col. 5, Lines 11-14) and the process at the client data processing 
system applying the cipher function to the combination of the transmitted token and the 
client password which corresponds to the stored cipher-protected client password, 
thereby to generate the equivalent cipher-protected client password for use as a shared 
secret (Davis, Col. 5, Lines 18-31). 

12. As per claim 8 Davis as modified teaches the token is a random number (Davis, 
Col. 5. Lines 11 - 13, salt). 

13. As per claims 12-15 Davis teaches a process at the server data processing 
system retrieving from the repository the respective token for a stored cipher-protected 
client password (Davis, Fig 5 Item 31 1), and transmitting the token to a client data 
processing system (Davis, Col. 5, Lines 1 1 - 20), a process at the client data processing 
system applying the cipher function to the combination of the transmitted token and the 
client password which corresponds to the stored cipher-protected client password 
(Davis, Col. 5 Lines 23- 24), thereby to generate a cipher-protected client password 
which is equivalent to the stored cipher-protected client password (Davis, Fig. 5 Item 
521), and using the client data processing system's cipher-protected client password 
and the server data processing system's stored cipher-protected client password as a 
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shared secret for a mutual challenge-response authentication check (Davis, Fig. 5 Items 
327, 329, 531, 333 and 335) but fails to disclose the authentication check is adapted to 
be performed without having the client password in a cleartext format on the server data 
processing system. 

14. However, in an analogous art, OIkin teaches disclose the authentication check is 
adapted to be performed without having the client password in a cleartext format on the 
server data processing system (OIkin, Paragraph 0150). 

15. Therefore, it would have been obvious to a person of ordinary skill in the art at 
the time the invention was made to use OIkin's secure email system with Davis' 
password verification method and system, because it offers the advantage of a highly 
secure form of network communications between a sender and receiver (OIkin, 
Paragraph 0023). 

16. As per claim 16 Davis as modified teaches generating a cipher-protected client 
password by applying said first cipher function to the clients password, thereby to 
provide the client and server processes with a shared secret (Davis, Col. 5 Lines 11- 
13), generating a client response and counter-challenge to the server challenge, the 
client response and counter-challenge including a message authentication code 
computed using the cipher-protected client password (Davis. Fig. 5, Items 521 and 
523), foHA/arding the client response and counter-challenge to the server process 
(Davis, Fig. 5, Item 329) receiving the forwarded server response; generating an 
anticipated server response and comparing the received and anticipated server 
responses to determine whether they match; and in response to a positive match, 
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confirming successful authentication (Davis. Fig. 5, items 531, 533 and 335). 

17. Claim 4, 5, 9.10 and 11 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Davis et al. U.S. Patent No. (6.064,736) and OIkin et al. US-PG 
Publication No. (2003/0046533) as applied to claims 1 and 12 - 15 and in view of 
Yatsukawa U.S. Patent No. (6,148.404). 

18. As per claim 4, Davis in combination with OIkin fail to teach an authentication 
check comprises generating a common secret session key at both the client and server 
data processing systems, using the generated encrypted client password at the client 
and the stored encrypted client password at the server, and using this common secret 
session key in a mutual challenge-response authentication protocol. However, 
Yatsukawa teaches an authentication check comprises generating a common secret 
session key at both the client and server data processing systems, using the generated 
encrypted client password at the client and the stored encrypted client password at the 
server, and using this common secret session key in a mutual challenge-response 
authentication protocol (Yatsukawa, Col. 19, Lines 62 - 67). 

19. At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to us a common session-key with Davis' password verification 
method and system, because it offers the advantage of confidentiality by limiting the 
chance of leakage of information between client and server along with unauthorized 
intrusion (Yatsukawa, Col. 1 Lines 35 - 42). 
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20. As per claim 5, Davis as modified teaches a secret session key is generated by 
applying a cipher function to each of the generated encrypted client password at the 
client and the stored encrypted client password at the server (Col. 3, Lines 52 - 55). 

21 . As per claim 9 Davis as modified fails to teach the server processing system's 
password repository is preferably integrated within the operating system of the server 
data processing system. However, Yatsukawa teaches the server processing system's 
password repository is preferably integrated within the operating system of the server 
data processing system (Yatsukawa, Col. 19, Lines 1 -6). 

22. At the time the invention was made it would have been obvious to a person of 
ordinary skill in the art to use an operating system with Davis' password verification 
method and system, because it offers the advantage of increasing the confidentiality 
and integrity to a system. (Yatsukawa, Col. 1 , Lines 33 - 38). 

23. As per claim 10 Davis as modified teaches the operating system is an operating 
system conforming to the UNIX operating system standard or derived from a UNIX 
conforming system (Yatsukawa, Col. 19, Lines 3-6). 

24. As per claim 1 1 Davis teaches the encryption algorithm is provided by the UNIX 
crypto function (Davis, Col. 5, Lines 13 - 16). 

Conclusion 

25. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
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§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

26. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Roderick Tolentino whose telephone number is (571) 
272-2661 . The examiner can nonnally be reached on 8:00am - 4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Greg Morse can be reached on (571) 272-3838. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status infonnation for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status infonnation for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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